Does Security Have to be Technical?

I had been a software engineer for at least 3 years specializing in digital security. A month ago, I attended a small workshop which talked about IT Security for corporate and the speaker said this somewhere in the middle of the workshop:

“Security is a process. It does not have to be really technical and the most important part is the process.”

I stunned for a while and suddenly my mind wondered away from the workshop deeply thinking, what is the speaker trying to deliver? I started this serious thinking simply because it is not said by some non-technical or sales person. Instead, the person speaking in front of me is a Certified Ethical Hacker.

A padlock key on a keyboardAt the end of the workshop, I begin to understand what he is trying to deliver. After 3 years of writing programs for the benefit of security, I turned out saying that security is a process. Why would I say that? Look around us. All the tech that you need to protect yourself from cyber crime is there. Anti-virus, firewall, anti keylogger, parental control, password manager and many more are all available in the software market. There is no reason for us to say in terms of technology, we are not good enough in security.

What makes so many of us a victim of computer or internet threat is the lack of proper process in computer and internet security. Security is not a short process where you only apply if you need it. For instance, you don’t only apply security when you had just downloaded a file from an unknown site which required a security scan.

Security is an end to end process. This means that the moment your computer boots up, security should be applied until the time your computer shuts down. People usually failed to stay secure simply because they don’t apply security from the very start. Agree?

So what’s your view? Do you still think that security has to be something technical?

Are Antivirus and Firewall Sufficient for Good Security?

Whenever people talk about computer and internet security, they talk about malware which consists of virus, trojan, worms, spyware and many more. When they come to talk about the solution for those threats, the solution is to get an antivirus and firewall to do the work.

The question now is, are they sufficient for a good computer and internet security? I would say ‘No’. It is very irresponsible to put the blame into that awesome software when you become a victim of malware infection. I believe that software like antivirus and firewall are there to help you in achieving good security, but not creating some sort of plasma shield to you.

The reasons why you have a poor security

As I said, you can’t blame the software for being too poor as the reason that you to get infected. Part of the reason why you are infected can be several below.

You are too careless when handling incoming links from email

Incoming links from emails especially from an unknown sender are usually malicious. They don’t lead to valuable site but either phishing site or malicious site. If you happen to land on a malicious site, your computer will most probably infected with virus, trojan, or worm the next minute.

If you don’t update and patch your operating system, the wounded area is the target for hackers

Sad to say, there is no such thing such as perfect software. Software is always 95% complete where 5% is the section for bugs and vulnerabilities to exist. It is the matter of time whether those vulnerabilities are found.

If the creator happened to find those vulnerabilities before the bad guys, they will still able to patch the wounded area. So if you don’t update and apply the patch, you will the one targeted by hackers to exploit your vulnerabilities.

You are the owner of your computer, not the administrator

Many of us think that being the owner of the computer means being the administrator as well. But do you know that Microsoft did not design it this way for us? There is an option to create a Standard User and there is User Account Control (UAC) so that we will use our computer in the way that we don’t have full privileges to do everything, same goes to the hacker.

A set of keysBy having a strict UAC, you will realize that every single time you run an application that might affect your System files, you will be asked for permission. The benefit here is, if a hacker tries to run an application to harm your system files, I bet you will know it as well when your UAC pops up.

My verdict to poor security

Having a bad security does not mean your antivirus is not efficient enough or your firewall is not solid enough. At times, it is the user who lacks of experience in handling computer threats. As a result, it is important to always stay alert whenever you are browsing the internet.

If you want to learn more about security, you can grab my copy of eBook for free on how to Build Your Own Security.

5 Most Popular Two-Factor Authentication Security Devices

As we had discussed before, one-factor authentication is not sufficient in order to have good security. Especially when we talk about sensitive transaction such as banking transactions, it is not secure anymore today if it were done only using username and static password.

Two-factor has to come into the IT security field to ensure that the correct person is authenticated. The items below are the five most popular methods used for any two-factor authentication.

1. Mobile OTP

Mobile One-Time Password

Mobile One-Time Password (OTP)

A very popular and cost saving method is to use a SMS gateway and send OTP (one-time password) to a mobile phone user. This method is used widely simply because everyone has a mobile phone today which means everyone can use two-factor authentication as long as the host of the application willing to invest and provide this service.

2. OTP Token

One-Time Password Token

One-Time Password (OTP) Token

OTP token works more or less the same as the Mobile OTP. The difference is that this is a separate device and the OTP can be generated immediately instead of waiting for the SMS gateway to send. As a result, it is more reliable than the Mobile OTP but additional cost needed to have this device.

3. PKI USB Token

Public Key Infrastructure Token

Public Key Infrastructure (PKI) Token

PKI USB Token offers the second best security in the market by beating off man in the middle attack such as phishing attack. However, PKI implementation needs an infrastructure where it is going to be costly. Due to the cost matter, PKI is not well known in certain countries as people will go for OTP to have the balance of security and investment cost.

4. EMV Cap OTP with Signature

Europay, MasterCard and VISA Cap One-Time Password with Signature

Europay, MasterCard and VISA (EMV) Cap One-Time Password (OTP) with Signature

EMV Cap OTP offers the best security around as it not only beats off the man in the middle attack, but also the man in the browser attack. This is simply because the user needs to sign the transaction using the EMV card reader instead of the web browser. As a result, the Trojan of the man in the browser will no longer work. The drawback is that, signing with transaction device can be a tedious thing to do. The user needs to enter correctly the recipient’s account number and the amount in order to perform the transaction successfully.

5. Out of Band Transaction Detail Verification

Out of Band

Out of Band

This method provides the best security similar to the above and solves as well the weakness of the EMV Cap OTP. What this method does is to send the user the details of the transaction such as the recipient’s account number, amount and the OTP code via non-internet channel such as voice call or SMS. The user will verify those details given and confirm the transaction by submitting the OTP code into the web browser. This gives great security but not anything more after that. Unlike PKI, that piece of digital certificate can do not only authentication signing, but also document signing, PDF signing or even data encryption.

Nothing is perfect in this world where everything has its good and bad. You have to clearly define what you want and I’m sure you can find the device that is suitable to you.